On Thu, May 28, 2015 at 11:38:35AM +0200, A. Schulze wrote:

> The crypto weakness of the month is named "logjam".
> If you could connect to https://dhe512.zmap.io your SSL-Client / Browser
> supports weak crypto.
> What does that mean for postfix?

Postfix SMTP servers should disable "export" cipher-suites:

    smtpd_tls_ciphers = medium

> We set up a postfix smtp server with
>
>     smtpd_tls_dh1024_param_file = /path/to/dh_512.pem
>
> and connect to that server
>
>     posttls-finger -g high -c -p TLSv1.2 $testserver
>
> There is no warning about the weak DH key used by the server nor is the
> connection rejected.

Indeed, because such a policy would properly be an OpenSSL feature,
not a Postfix feature. However, the whole attack is largely irrelevant
for SMTP. Unless you're authenticating the server (DANE or Web PKI)
you're subject to MiTM attacks with or without logjam. When the server
is authenticated, it is not going to send weak DH keys with strong
ciphers.

To avoid the logjam attack, configure your own servers as above.

> Is it possible for the postfix smtp client to gather information about the
> currently used key length
> or is this hidden by the ssl library at all?

Policy about minimum key strengths for authentication and key exchange
is at the TLS library layer. Upcoming OpenSSL releases will raise
the minimum bit length for DH to 768 and then 1024 bits. Similar
logic will likely apply to RSA keys. I don't think this logic belongs
in Postfix.

In any case CAs no longer sign such weak keys, and DANE TLSA records
attesting to weak keys should not be published.

--
Viktor.